Merge branch 'master' into add-virtualenv-information
This commit is contained in:
commit
1e80f03d4c
6 changed files with 27 additions and 16 deletions
|
@ -35,7 +35,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua
|
||||||
|
|
||||||
macOS: `sudo easy_install pip`
|
macOS: `sudo easy_install pip`
|
||||||
|
|
||||||
Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y`
|
Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip python-setuptools build-essential libssl-dev libffi-dev python-dev -y`
|
||||||
|
|
||||||
Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)
|
Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,19 @@
|
||||||
until: ssh_keys.changed != true
|
until: ssh_keys.changed != true
|
||||||
retries: 10
|
retries: 10
|
||||||
delay: 1
|
delay: 1
|
||||||
|
|
||||||
rescue:
|
rescue:
|
||||||
|
- name: Collect the fail error
|
||||||
|
digital_ocean:
|
||||||
|
state: absent
|
||||||
|
command: ssh
|
||||||
|
api_token: "{{ do_access_token }}"
|
||||||
|
name: "{{ SSH_keys.comment }}"
|
||||||
|
register: ssh_keys
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- debug: var=ssh_keys
|
||||||
|
|
||||||
- fail:
|
- fail:
|
||||||
msg: "Please, ensure that your API token is not read-only."
|
msg: "Please, ensure that your API token is not read-only."
|
||||||
|
|
||||||
|
@ -51,7 +63,7 @@
|
||||||
do_access_token: "{{ do_access_token }}"
|
do_access_token: "{{ do_access_token }}"
|
||||||
do_droplet_id: "{{ do.droplet.id }}"
|
do_droplet_id: "{{ do.droplet.id }}"
|
||||||
cloud_provider: digitalocean
|
cloud_provider: digitalocean
|
||||||
ipv6_support: yes
|
ipv6_support: true
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
cloud_instance_ip: "{{ do.droplet.ip_address }}"
|
cloud_instance_ip: "{{ do.droplet.ip_address }}"
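Review bot: The new `- debug: var=ssh_keys` in the rescue block prints the entire registered result of the `digital_ocean` cleanup call, and Ansible registered results normally carry `invocation.module_args`, so the `api_token` passed a few lines above can end up in console output and any log unless that module marks the argument `no_log`; printing only the message (`- debug: var=ssh_keys.msg`) or adding `no_log: true` to the cleanup task avoids that. `ignore_errors: yes` should be `ignore_errors: true` to match the `ipv6_support: true` normalization made in the second hunk of this file. The task reads `SSH_keys.comment` while registering into `ssh_keys`; that looks intentional (a separate fact, presumably set before the `until:` retry block, which starts outside this hunk), but the near-identical names are easy to confuse, so a comment such as `# SSH_keys: the key we uploaded; ssh_keys: result of removing it` would help the next reader.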
|
||||||
|
|
|
@ -31,8 +31,8 @@
|
||||||
createhome: yes
|
createhome: yes
|
||||||
generate_ssh_key: yes
|
generate_ssh_key: yes
|
||||||
shell: /bin/false
|
shell: /bin/false
|
||||||
ssh_key_type: rsa
|
ssh_key_type: ecdsa
|
||||||
ssh_key_bits: 2048
|
ssh_key_bits: 256
|
||||||
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
|
ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
|
||||||
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
|
ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
|
||||||
state: present
|
state: present
|
||||||
|
@ -41,7 +41,7 @@
|
||||||
|
|
||||||
- name: The authorized keys file created
|
- name: The authorized keys file created
|
||||||
file:
|
file:
|
||||||
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
|
src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
|
||||||
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
|
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
|
||||||
owner: "{{ item }}"
|
owner: "{{ item }}"
|
||||||
group: "{{ item }}"
|
group: "{{ item }}"
|
||||||
|
@ -57,7 +57,7 @@
|
||||||
template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
|
template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
|
||||||
|
|
||||||
- name: Fetch users SSH private keys
|
- name: Fetch users SSH private keys
|
||||||
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
||||||
with_items: "{{ users }}"
|
with_items: "{{ users }}"
|
||||||
|
|
||||||
- name: Change mode for SSH private keys
|
- name: Change mode for SSH private keys
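Review bot: Switching `ssh_key_type` to `ecdsa` and the `authorized_keys` source to `id_ecdsa.pub` silently invalidates the RSA keys already distributed from an existing deployment: `generate_ssh_key` only creates a key when none exists, so on re-run each jail user receives a fresh `id_ecdsa` while the previously fetched RSA `*_<user>.ssh.pem` is no longer what `authorized_keys` points at. A note on the `ssh_key_type` line, `# NOTE: changing the key type rotates every user's SSH key; re-distribute the fetched .pem files`, or a sentence in the commit message would make the operational impact explicit. If the goal is to move off RSA, `ed25519` avoids the NIST-curve and per-signature nonce caveats of ECDSA and needs no `ssh_key_bits`, but confirm that the target platform's ssh-keygen and the `user` module accept it before switching. The `file:` task's `state` is outside the hunk, so I assume it links `authorized_keys` to the public key.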
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
- name: Iptables configured
|
- name: Iptables configured
|
||||||
template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
|
template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
|
||||||
when: ipv6_support is defined and ipv6_support == "yes"
|
when: ipv6_support is defined and ipv6_support == true
|
||||||
with_items:
|
with_items:
|
||||||
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
|
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
|
||||||
notify:
|
notify:
|
||||||
|
|
|
@ -1,6 +1,11 @@
|
||||||
- name: Gather Facts
|
- name: Gather Facts
|
||||||
setup:
|
setup:
|
||||||
|
|
||||||
|
- name: Enable IPv6
|
||||||
|
set_fact:
|
||||||
|
ipv6_support: true
|
||||||
|
when: ansible_default_ipv6.gateway is defined
|
||||||
|
|
||||||
- name: Generate password for the CA key
|
- name: Generate password for the CA key
|
||||||
shell: >
|
shell: >
|
||||||
< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-12};echo;
|
< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-12};echo;
|
||||||
|
@ -17,7 +22,7 @@
|
||||||
when: Win10_Enabled is defined and Win10_Enabled == "Y"
|
when: Win10_Enabled is defined and Win10_Enabled == "Y"
|
||||||
|
|
||||||
- name: Install StrongSwan
|
- name: Install StrongSwan
|
||||||
apt: name=strongswan state=latest update_cache=yes
|
apt: name=strongswan state=latest update_cache=yes install_recommends=yes
|
||||||
|
|
||||||
- name: Enforcing ipsec with apparmor
|
- name: Enforcing ipsec with apparmor
|
||||||
shell: aa-enforce "{{ item }}"
|
shell: aa-enforce "{{ item }}"
|
||||||
|
@ -46,9 +51,8 @@
|
||||||
|
|
||||||
- name: Configure ip6tables so IPSec traffic can traverse the tunnel
|
- name: Configure ip6tables so IPSec traffic can traverse the tunnel
|
||||||
iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
|
iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
|
||||||
when: ((security_enabled is not defined) or
|
when: ((security_enabled is not defined) or (security_enabled is defined and security_enabled != "y")) and
|
||||||
(security_enabled is defined and security_enabled != "y")) and
|
(ipv6_support is defined and ipv6_support == true)
|
||||||
ipv6_support is defined and ipv6_support == "yes"
|
|
||||||
notify:
|
notify:
|
||||||
- save iptables
|
- save iptables
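Review bot: `set_fact` in the new "Enable IPv6" task overrides any `ipv6_support` value an operator set in role defaults, inventory or play vars, because set_fact sits above those in Ansible's precedence and only extra-vars outrank it, so a deliberate `ipv6_support: false` opt-out is quietly ignored whenever the host has a default v6 gateway. Guarding it with `when: ansible_default_ipv6.gateway is defined and ipv6_support is not defined` keeps autodetection as a fallback rather than a forced setting. Separately, `install_recommends=yes` on the StrongSwan `apt` task pulls in every recommended package rather than the one presumably needed; listing that package explicitly in `name=` keeps the installed surface of the VPN host minimal and the dependency visible. The ip6tables `when:` in the last hunk would also be more robust as `ipv6_support | default(false) | bool`, since `== true` is false for string-valued extra-vars.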
|
||||||
|
|
||||||
|
|
|
@ -196,11 +196,6 @@
|
||||||
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
||||||
with_items: "{{ valid_users.stdout_lines | default('null') }}"
|
with_items: "{{ valid_users.stdout_lines | default('null') }}"
|
||||||
|
|
||||||
- name: SSH | Fetch users SSH private keys
|
|
||||||
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
|
||||||
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
||||||
with_items: "{{ users }}"
|
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- debug:
|
- debug:
|
||||||
msg:
|
msg:
|
||||||
|
|